/**
 * 最简单的Hook脚本：直接捕获AES密钥和ep原始值，验证它们是否相同
 */

console.log("\n" + "=".repeat(80));
console.log("数美SDK - 验证：ep原始值 = AES密钥");
console.log("=".repeat(80) + "\n");

function bytesToHex(bytes) {
    let hex = "";
    for (let i = 0; i < bytes.length; i++) {
        hex += ("0" + bytes[i].toString(16)).slice(-2);
    }
    return hex;
}

// 等待libsmsdk.so加载
setTimeout(function() {
    const soModule = Process.findModuleByName("libsmsdk.so");
    if (!soModule) {
        console.log("✗ 未找到libsmsdk.so");
        return;
    }
    
    console.log("✓ 找到libsmsdk.so @ " + soModule.base);
    
    // Hook AES加密函数 sub_4AAE4
    const aesEncAddr = soModule.base.add(0x4AAE4);
    console.log("✓ Hook sub_4AAE4 (AES加密) @ " + aesEncAddr);
    
    Interceptor.attach(aesEncAddr, {
        onEnter: function(args) {
            const keyPtr = args[3];
            const keyLen = args[4].toInt32();
            
            if (keyLen === 256) {  // 如果是256字节
                const key = keyPtr.readByteArray(keyLen);
                console.log("\n🔑 AES加密使用的密钥（256字节）:");
                console.log(bytesToHex(Array.from(new Uint8Array(key))));
            } else if (keyLen === 32) {  // 如果是32字节
                const key = keyPtr.readByteArray(keyLen);
                console.log("\n🔑 AES加密使用的密钥（32字节）:");
                console.log(bytesToHex(Array.from(new Uint8Array(key))));
            } else {
                console.log("\n🔑 AES加密使用的密钥（" + keyLen + "字节）:");
                const key = keyPtr.readByteArray(Math.min(keyLen, 256));
                console.log(bytesToHex(Array.from(new Uint8Array(key))));
            }
        }
    });
    
    // Hook RSA加密函数
    const rsaEncrypt = Module.findExportByName("libcrypto.so", "RSA_public_encrypt");
    if (rsaEncrypt) {
        console.log("✓ Hook RSA_public_encrypt @ " + rsaEncrypt);
        
        Interceptor.attach(rsaEncrypt, {
            onEnter: function(args) {
                const flen = args[0].toInt32();
                const from = args[1];
                
                console.log("\n📦 RSA加密前的明文（" + flen + "字节）:");
                const plaintext = from.readByteArray(flen);
                console.log(bytesToHex(Array.from(new Uint8Array(plaintext))));
            }
        });
    }
    
    console.log("\n✓ Hook设置完成，等待调用...\n");
    
}, 100);



